The Cloud Security Alliance has established several projects focused on enabling the manual or automated collection of information to support the “Audit, Assertion, Assessment, and Assurance” of Cloud Service Provider IaaS, PaaS, and SaaS environments.

The Cloud Security Alliance Governance, Risk Management and Compliance (GRC) Stack (or supporting initiatives) is a combination of three products (Cloud Control Matrix, Consensus Assessments Initiative, CloudAudit, and the CloudTrust Protocol) provides “a toolkit for enterprises, cloud providers, security solution providers, IT auditors and other key stakeholders to instrument and assess both private and public clouds against industry established best practices, standards and critical compliance requirements” (including access to necessary supporting artifacts).

Cloud Control Matrix

“The Cloud Security Alliance Cloud Controls Matrix (CCM) is specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider. The Cloud Controls Matrix provides a controls framework that gives detailed understanding of security concepts and principles that are aligned to the Cloud Security Alliance guidance in 13 domains. The foundations of the Cloud Security Alliance Cloud Controls Matrix rest on its customized relationship to other industry-accepted security standards, regulations, and controls frameworks such as the HITRUST CSF, ISO 27001/27002, ISACA COBIT, PCI, HIPAA and NIST, and will augment or provide internal control direction for SAS 70 attestations provided by cloud providers. As a framework, the CSA CCM provides organizations with the needed structure, detail and clarity relating to information security tailored to the cloud industry.” For additional information on the Cloud Control Matrix (CCM), refer to Cloud Security Alliance website.

Consensus Assessments Initiative

“The Cloud Security Alliance Consensus Assessments Initiative (CAI) was launched to perform research, create tools and create industry partnerships to enable cloud computing assessments. We are focused on providing industry-accepted ways to document what security controls exist in IaaS, PaaS, and SaaS offerings, providing security control transparency. This effort by design is integrated with and will support other projects from our research partners.” For additional information on the Consensus Assessments Initiative (CAI), refer to Cloud Security Alliance website.


“The goal of CloudAudit is to provide a common interface and namespace that allows cloud computing providers to automate the Audit, Assertion, Assessment, and Assurance (A6) of their infrastructure (IaaS), platform (PaaS), and application (SaaS) environments and allow authorized consumers of their services to do likewise via an open, extensible and secure interface and methodology.” For additional information on the CloudAudit API, refer to CloudAudit website.”

CloudAudit Tools

  • Pre-Bundled Compliance Packs
  • Python Scripts

CloudTrust Protocol

“The CloudTrust Protocol (CTP) is the mechanism by which cloud service consumers (also known as “cloud users” or “cloud service owners”) ask for and receive information about the elements of transparency as applied to cloud service providers.” For additional information on the CloudTrust Protocol, refer to Cloud Security Alliance website.